Description
A flaw was found in the Quarkus Cache Runtime. When request processing uses a Uni cached with @CacheResult and the cached Uni reuses the initial "completion" context, processing continues on the cached Uni's context instead of the current request's context. This is a problem if the cached Uni's context contains sensitive information: a malicious user could benefit from a POST request returning the response meant for another user, gaining access to sensitive data.
Statement
Red Hat rates this as a Moderate impact due to the difficulty and randomness that is required to successfully exploit this vulnerability.
Mitigation
No mitigation is currently available for this flaw.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat build of Quarkus | io.quarkus/quarkus-cache | Affected | | |
| Red Hat build of Quarkus 2.13.9.Final | io.quarkus/quarkus-cache | Fixed | RHSA-2023:7700 | 07.12.2023 |
Additional information
EPSS
5.3 Medium
CVSS3
Related vulnerabilities
Quarkus Cache Runtime exposes sensitive information to an unauthorized actor